Configuring NAAS for Multipartition Auditing

NAAS can perform multipartition auditing, based on the configuration done by the user.

Configuring NAAS for a multipartition setup involves using the NAAS Default Configuration Utility together with the manual creation and association of a few NAAS policies, depending on the auditing requirements.

The NAAS Default Configuration Utility configures NAAS for one partition. Whether a particular eDirectory object is audited depends on the Event policies associated with it. During the default configuration an Agent is created for a selected eDirectory server. That Agent can audit all the partitions and replicas hosted on that eDirectory server, but ALL the objects in those partitions must have governing Event policies associated with them in order to be audited. The default configuration associates Event policies only with the partition for which NAAS was configured. All other partitions residing on the eDirectory server need Event policies associated with them before they are audited. Depending on the setup it may or may not be necessary to associate Event policies manually, because NAAS searches up to three levels up the tree to find a NAAS policy of any type for an object.
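The upward policy search described above, modelled as an added example (not NAAS code). The dotted, typeless eDirectory-style names, the policy associations and the assumption that the object itself is level 0 with the search level counting containers above it are all constructed for the example; the Group step of the search order is omitted.

```python
# Added example (not NAAS code): models how an object's governing Event policy is
# found by walking up the tree from the object. Names are constructed
# eDirectory-style dotted DNs (leaf first, typeless).
from typing import Dict, Iterator, List, Optional

# Constructed "Associated NAAS Policies": container DN -> Event policy name.
# The root partition carries the policy created by the Default Configuration
# Utility; BANGALORE carries one associated manually. Nothing else is linked.
POLICY_LINKS: Dict[str, str] = {
    "SILVEROAK": "SILVEROAK-EventPolicy",
    "BANGALORE.SILVEROAK": "BANGALORE-EventPolicy",
}


def ancestors(dn: str) -> Iterator[str]:
    """Yield the object itself, then each container up to the tree root."""
    parts = dn.split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:])


def effective_policy(dn: str, links: Dict[str, str],
                     search_level: int = 3) -> Optional[str]:
    """Return the nearest policy found on the object or its containers.

    Assumption: the object is level 0 and at most `search_level` containers
    above it are examined (3 is the default described on this page). The first
    association found wins, so a policy on a nearer container shadows the root.
    """
    for level, candidate in enumerate(ancestors(dn)):
        if level > search_level:
            break
        if candidate in links:
            return links[candidate]
    return None  # no governing policy: the object is not audited


def audited_objects(dns: List[str], links: Dict[str, str],
                    search_level: int = 3) -> Dict[str, Optional[str]]:
    """Map each object to the policy that governs it (None = not audited)."""
    return {dn: effective_policy(dn, links, search_level) for dn in dns}


# Constructed sample objects at increasing depth below the root partition.
SAMPLE_OBJECTS = [
    "alice.SILVEROAK",
    "bob.BANGALORE.SILVEROAK",
    "carol.D3.DELHI.SILVEROAK",
    "dave.ou1.D3.DELHI.SILVEROAK",
]

if __name__ == "__main__":
    # With the default level 3, dave is four containers below SILVEROAK and is
    # not audited; a search policy with level 10 reaches the root policy.
    for level in (3, 10):
        print(f"search level {level}:")
        for dn, pol in audited_objects(SAMPLE_OBJECTS, POLICY_LINKS, level).items():
            print(f"  {dn:30} -> {pol or 'NOT AUDITED'}")
```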


Scenarios for Configuring NAAS for Multipartition Auditing

This section describes a few scenarios. The following figure depicts a sample eDirectory Tree. For each scenario an abstract section of the tree is considered and the impact of NAAS configuration and auditing is explained.


Network for Scenario Setups


Scenario 1

This scenario describes configuring NAAS at the eDirectory Tree root level. Read through it to get an idea of all the steps that need to be performed to enable multipartition auditing. This approach is recommended only if the number of objects in the tree is not very high. The remaining scenarios cover configuring NAAS for individual partitions as needed.

To enable auditing for an entire eDirectory tree containing multiple partitions and servers, and comprising one NAAS Server, one central database, one Auditor, and multiple NAAS Agents:

  1. Perform the NAAS default configuration at the root of the tree.

    The policies are created and associated at the root partition SILVEROAK.

  2. Make these policies applicable to the entire tree, down to the lowest level.

    1. Create a NAASSearchCriteriaPolicy with the following details:

      Name: NAASSearchpolicy

      Search Order: Object > Container > Group.

      Search Level: 10. The search level should be set based on the current tree and must be greater than or equal to the depth of the tree.

    2. Go to the Properties page of SILVEROAK > Associated NAAS Policies > Add NAASSearchPolicy, to associate the policy with SILVEROAK.

  3. Configure the NAAS Agent for the NCP servers that are to be audited.

    Each agent can audit all the partitions hosted on that server.

  4. The Agent needs the required rights to read the policies created during the NAAS default configuration. By default only the agents in the Tree root partition are granted these rights. Perform the following steps to grant the rights to all agents that reside outside the Tree root partition, if any.

    1. Grant the Read right to the naasPolLink and naasSearchPolLink attributes for all the objects in the partition. This can be done even at the partition level.

    2. Grant the Read right to the agent, so the event policies can be read.

  5. Enable the NAASGloballyAuditable flag.

    1. Right-click the partition Root object.

    2. Go to Extensions and add an extension.

    3. Select NAASGloballyAuditable and click OK.

    4. Click OK in the message box.

    5. Enter a name for the flag.

    6. Repeat the above steps for each partition that an agent resides in, and for each partition hosted on the servers that the agents are running on.

  6. Modify the properties of the Auditor Query Domain policy so that all the objects in the tree fall within the domain of the configured Auditor; the Auditor can then get the audit data for the entire tree in the report.

    1. Right-click the Auditor Query Domain policy.

    2. Go to Properties and uncheck the Partition Boundary option.

  7. Conditional. If the Auditor is not present in the partition that the framework configuration was performed for, complete the following steps:

    1. Grant the NAAS Server the Read rights to the naasRandomNonce, naasDomainList and naasSelectedDomain attributes of the Auditor.

    2. Grant the Auditor the Write rights to the naasRandomNonce and the Read right to the naasserversList attributes of its own object.

    3. Grant the NAAS Server the Read rights to all attributes of the naasAuditorQueryDomain object for that Auditor.

  8. One or more NAAS Servers can be configured for a tree. The servers must be configured at the partition hosting the objects for the eDirectory server designated as the NAAS Server. We recommend one NAAS Server for every geographical location. If the connectivity is fast, one NAAS Server can be configured for the whole tree.

    Conditional. To create multiple NAAS Servers:

    1. Create a NAAS Server using the Default Configuration Utility.

    2. Right-click the NAAS Agent policy of the agent that contacts the server.

    3. Go to Properties, enter the names of the Servers to be contacted and then click OK.

    4. Grant the Read right to the naasPortNumber and the Host Device attribute for the NAAS Servers.

    5. Grant the Read right to the Network Address attribute for the server objects hosting the NAAS Servers.

    6. Grant the Read right to the Server policy of the NAAS Server.

    7. Grant the Read right to the NAAS Database.

    8. Grant the Read right to the naasPolLink, naasSearchPolLink and ACL attributes for all the objects in the partition.

    9. Grant the Write right to its own naasPortNumber attribute.

    10. Grant the NAAS Servers Read rights on this Auditor Query Domain and on the naasSelectedDomain and naasRandomNonce attributes of the Auditor.

    11. Grant the Auditor the Read right to the naasPortNumber and Host Device attributes of the NAAS Servers.


Scenario 2

This scenario talks about configuring NAAS for the eDirectory root partition SILVEROAK. The NAAS Agent is configured for the S7 eDirectory server hosting the following partitions:


Remarks

SILVEROAK is audited based on its default configuration.

BANGALORE, BOMBAY, DELHI, and JAPAN are audited based on the default configuration of SILVEROAK. For every object in these partitions, NAAS searches only three levels up to find the associated Event policy. If an effective policy is not obtained in up to three levels, then the object is not audited.

Therefore, Event policies must be associated with these partitions in order to perform multipartition auditing. This can be done by associating a new policy directly with the object or partition, or by associating a high-level search policy with the partition so that the Event policies created by the default configuration of SILVEROAK apply to the current partition.


Scenario 3

This scenario talks about configuring NAAS for the eDirectory root partition SILVEROAK. The NAAS Agent is configured for the S7 eDirectory server hosting the following partitions:


Remarks

SILVEROAK is audited based on its default configuration.

For every object in D3, NAAS searches only three levels up to find the associated Event policy. Therefore, D3 is not audited, because the objects in D3 are not associated with any Event policies.

Therefore, Event policies must be associated with D3 in order to perform multipartition auditing. This can be done by associating the required Event policies or by associating a high-level search policy so that the configuration of SILVEROAK applies to D3. If you have created and associated new Event policies, the required rights must be granted based on the steps given in Granting Rights to NAAS Agents.


Scenario 4

This scenario talks about configuring NAAS for BANGALORE. The NAAS Agent is configured for the S1 eDirectory server hosting the following partitions:


Remarks

BANGALORE is audited based on its default configuration.


Scenario 5

This scenario talks about configuring NAAS for BANGALORE. The NAAS Agent is configured for the S1 eDirectory server hosting the following partitions:


Remarks

BANGALORE is audited based on its default configuration.

For every object in BOMBAY, NAAS searches only three levels up to find the associated Event policy. Therefore, BOMBAY is not audited, because the objects in BOMBAY are not associated with any Event policies.

Event policies must be associated with BOMBAY in order to audit it. This can be done by associating the required Event policies with BOMBAY. If you have created and associated new Event policies, the required rights must be granted based on the steps given in Granting Rights to NAAS Agents.


Scenario 6

This scenario talks about configuring NAAS for BANGALORE. The NAAS Agent is configured for the S1 eDirectory server hosting the following partitions:


Remarks

BANGALORE is audited based on its default configuration.

For every object in BOMBAY and DELHI, NAAS searches only three levels up to find the associated Event policy. Therefore, BOMBAY and DELHI are not audited, because the objects in these partitions are not associated with any Event policies.

Event policies must be associated with BOMBAY and DELHI in order to audit them. This can be done by associating the required Event policies with BOMBAY and DELHI. If you have created and associated new Event policies, the required rights must be granted based on the steps given in Granting Rights to NAAS Agents.

D1, D2, D3, etc., cannot be audited in this setup.


Scenario 7

This scenario talks about configuring NAAS for BANGALORE. The NAAS Agent is configured for the S1 eDirectory server hosting the following partitions:


Remarks

BANGALORE is audited based on its default configuration.

For every object in JAPAN, NAAS searches only three levels up to find the associated Event policy. Therefore, JAPAN is not audited, because the objects are not associated with any Event policies.

Event policies must be associated with JAPAN in order to audit it. This can be done by associating the required Event policies with JAPAN. If you have created and associated new Event policies, the required rights must be granted based on the steps given in Granting Rights to NAAS Agents.


Scenario 8

This scenario talks about configuring NAAS for BANGALORE. The NAAS Agent is configured for the S2 eDirectory server hosting the following partitions:


Remarks

BANGALORE is audited based on its default configuration.

For every object in the root partition (SILVEROAK), NAAS searches only three levels up to find the associated Event policy. Therefore, SILVEROAK is not audited, because the objects are not associated with any Event policies.

Event policies must be associated with SILVEROAK in order to audit it. This can be done by associating the required Event policies with SILVEROAK. The policies associated with SILVEROAK apply to all the objects in that partition, and the policies associated with BANGALORE apply only to the objects in BANGALORE. If you have created and associated new Event policies, the required rights must be granted based on the steps given in Granting Rights to NAAS Agents.


Scenario 9

This scenario talks about configuring NAAS for DELHI. The NAAS Agent is configured for any eDirectory server under DELHI hosting the following partitions:


Remarks

DELHI is audited based on its default configuration.

D1, D2, D3, and D4 are audited depending on the setup. The objects in these partitions that are not associated with any Event policies are not audited. For every object in the partitions, NAAS searches only three levels up to find the associated Event policy. If necessary, the user can change the search policy so that the search for an effective policy goes higher than three levels.

Therefore, to audit D1, D2, D3, and D4 you need to either associate Event policies with those partitions or set the search policy for these partitions at a suitable level so that a policy is obtained by searching upwards. If you have created and associated new Event policies, the required rights must be granted based on the steps given in Granting Rights to NAAS Agents.

In the current setup, objects in D1, D2 and D3 can use the Event policies created by the default configuration of DELHI, since the default search level is 3.


Scenario 10

This scenario talks about configuring NAAS for INDIA. The NAAS Agent is configured for any eDirectory server under INDIA hosting the following partitions:


Remarks

INDIA is audited based on its default configuration.

For every object in JAPAN, NAAS searches only three levels up to find the associated Event policy. Therefore, JAPAN is not audited, because the objects are not associated with any Event policies.

Event policies must be associated with JAPAN in order to audit it. This can be done by associating the required Event policies with JAPAN. If you have created and associated new Event policies, the required rights must be granted based on the steps given in Granting Rights to NAAS Agents.

By default, BOMBAY is audited. For every object in the partitions, NAAS searches only three levels up to find the associated Event policy, and it finds the Event policies present in the partition INDIA. However, objects located at deep levels inside the partition INDIA might not have an Event policy associated within that search range. You might need to associate a high-level search policy or associate an Event policy directly. If you have created and associated new Event policies, the required rights must be granted based on the steps given in Granting Rights to NAAS Agents.


Granting Rights to NAAS Agents

Assume that a NAAS Agent is auditing partition X and a NAAS Event policy is associated with partition X. The agent queries for the policies associated with the objects in the partition, so it needs the Read right to the naasPolLink and naasSearchPolLink attributes of all the objects in the partition. Also, when the agent finds an associated Event policy, it must read its contents. Therefore, the agent must have Read access to the Event policy.

When the Default Configuration Utility is used to configure NAAS for a partition, the above rights are granted by default. If an Event policy is associated manually with any new partition, grant the following rights:


Reporting in Multipartition Auditing

The following conditions regarding reporting should be considered when using the Default Configuration Utility.


Granting Rights

When a NAAS Agent is configured for a server that hosts more than one partition, auditing is enabled for all the hosted partitions based on the associated policies. However, a user is configured as an Auditor for only one partition. Therefore, the user receives reports only for that partition.

To receive the audit data of other partitions, add the partitions to the Auditor Query Domain and grant the Auditor the Read right to the naasTrail attribute for all the partitions being added. For more information, refer to Scenarios for Reporting in Multipartition Auditing.


Partition Boundary

The Auditor Query Domain has an attribute called Partition Boundary.

On the Properties page of the Auditor Query Domain, a list of domain roots and a check box for Partition Boundary are provided. The list of objects in the domain is calculated from these attributes. If Partition Boundary is checked, the scope is limited to the partitions that contain the domain roots. If Partition Boundary is unchecked, the scope includes all objects under the domain roots, including all child partitions hierarchically under the listed domain roots.
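The Partition Boundary rule described above, modelled as an added example (not NAAS code). The partition layout, object names and domain roots are constructed sample data in dotted, typeless eDirectory-style form.

```python
# Added example (not NAAS code): computes which objects fall inside an Auditor
# Query Domain for a given list of domain roots, with the Partition Boundary
# check box checked or unchecked. All names are constructed sample data.
from typing import Iterable, List, Set

# Constructed partition roots of the sample tree (leaf-first dotted DNs).
PARTITION_ROOTS: Set[str] = {
    "SILVEROAK",
    "BANGALORE.SILVEROAK",
    "DELHI.SILVEROAK",
    "D1.DELHI.SILVEROAK",
}


def is_under(dn: str, root: str) -> bool:
    """True if dn is root itself or lies anywhere beneath root."""
    return dn == root or dn.endswith("." + root)


def partition_of(dn: str, partition_roots: Set[str] = PARTITION_ROOTS) -> str:
    """Nearest partition root at or above dn, i.e. the partition holding dn."""
    parts = dn.split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in partition_roots:
            return candidate
    raise ValueError(f"{dn} is not inside any known partition")


def in_query_domain(dn: str, domain_roots: Iterable[str],
                    partition_boundary: bool = True) -> bool:
    """Apply the Partition Boundary rule for one object."""
    for root in domain_roots:
        if not is_under(dn, root):
            continue
        if not partition_boundary:
            return True  # unchecked: child partitions are included
        if partition_of(dn) == partition_of(root):
            return True  # checked: only the domain root's own partition
    return False


def scoped_objects(objects: Iterable[str], domain_roots: Iterable[str],
                   partition_boundary: bool = True) -> List[str]:
    """Objects the Auditor can see under the given domain settings."""
    roots = list(domain_roots)
    return sorted(o for o in objects if in_query_domain(o, roots, partition_boundary))


# Constructed sample objects: one per partition, dave sits in child partition D1.
SAMPLE_OBJECTS = [
    "alice.SILVEROAK",
    "bob.BANGALORE.SILVEROAK",
    "carol.DELHI.SILVEROAK",
    "dave.D1.DELHI.SILVEROAK",
]
```

With domain root DELHI.SILVEROAK, checking Partition Boundary hides dave in the child partition D1; unchecking it, as Scenario 1 step 6 does at the tree root, includes every child partition.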


Scenarios for Reporting in Multipartition Auditing

This section describes a few scenarios. The following figure depicts a sample eDirectory Tree. For each scenario an abstract section of the tree is considered and the impact of NAAS configuration and auditing is explained.


Network for Scenario Setup


Scenario 1

This scenario talks about configuring NAAS for BANGALORE. The NAAS Agent is configured for the S1 eDirectory server hosting the following partitions:


Remarks

If the Event policies are associated with BOMBAY, then auditing is enabled for both BOMBAY and BANGALORE. Because the Auditor Query Domain associated with the Auditor by default contains only the partition BANGALORE, the Auditor can view only BANGALORE-related data. To view BOMBAY-related data, perform the following steps.

  1. Add the partition BOMBAY to the Auditor Query Domain.

  2. Grant the Auditor the Read rights to the naasTrail attribute for the entire partition.


Scenario 2

This scenario talks about configuring NAAS for DELHI. The NAAS Agent is configured for the DELHI eDirectory server hosting the following partitions:


Remarks

If appropriate Event policies are associated with D1, D2, D3, and D4 and auditing is enabled for all these partitions, then by default the Auditor Query Domain is set to DELHI. Therefore, the Auditor receives audit data only for DELHI. To also receive audit data for the partitions D1, D2, D3 and D4, do either of the following:


Recommendations


